Darren didn’t know his email newsletter had been hacked until hundreds of angry emails with nasty threats started filling his inbox. He plunged in immediately to determine the problem and responded by posting announcements on his affected blogs, emailing his newsletter mailing list, and then emailing each individual who had written to him, explaining what had happened and apologizing for the criminal activity imposed upon him.

He moved fast and appeared to remain calm as he methodically responded to the attack. And he learned some lessons, including how he turned a negative into a positive, gaining more readers and fans in the process.

A couple of months ago, a hacker publicly announced a list of WordPress blogs he was going to hack due to a security flaw in WordPress. This came right as the flaw was patched in WordPress 2.0.7. Those on the hacker’s list who didn’t upgrade were vulnerable, and many were hacked and their blogs defaced. Each was warned by fans and web watchers as soon as the news came out, but some were still attacked. The blogosphere took care of its own, and many helped restore the defaced blogs as fast as possible.

Not long after, news hit that a hacker broke into WordPress and contaminated the latest version of WordPress. The site was shut down immediately and the international crew of WordPress developers moved in to clean up the mess and prevent this from happening in the future. The announcement came out 12 hours later alerting everyone to update their WordPress version, no matter what version, and asked WordPress fans around the world to spread the word.

Update WordPress Regularly

Yes, upgrading WordPress is a pain, though there are now Plugins such as the WordPress Automatic Upgrade Plugin that promise to make the process easier. The threat of losing some of our most valuable WordPress Plugins, or the possibility of a serious upgrade breaking our WordPress Theme, makes the decision to upgrade a nervous one.

Protecting your blog from security flaws and vulnerabilities is critical to keeping your blog safe, so don’t use Plugins and Theme issues to justify not upgrading. It only takes one open door for a hacker to enter, and you want to make sure those doors are closed as fast as they are found.

There are two types of upgrades available currently in WordPress. One is for the latest version, with all the improvements and security fixes. The other only includes the security patches and bug fixes for an older version. These versions are called “branches”.

Currently, to upgrade WordPress to the latest version, you would use the WordPress 2.2 branch. To upgrade along the WordPress 2.0 branch, you would use the latest version in that line.

WordPress 2.2 brought changes to some template files and database tables, which caused some popular WordPress Plugins to break in the upgrade. Many of these Plugin authors had already updated their Plugins to be compatible with the new version; others moved more slowly, making a lot of users unhappy.

When making a major upgrade, check for the latest version of:

The WordPress Plugins that your blog is dependent upon.

Your WordPress Theme.

If you make changes to the WordPress core programming, which is not recommended as many of these can be achieved with a WordPress Plugin, make sure to keep a text file with all the notes and details of all the changes you have made. Store this in a safe place or in the wp-content folder, the one not impacted by upgrades, so you can refer to it after an upgrade.

With this as a guide, you can redo the customizations you made that may have been overwritten in the new version.

Update WordPress Plugins and Themes Regularly

Work is underway in the next version of WordPress to make it easier to get news of updates to WordPress Plugins, and hopefully it will include WordPress Themes. Until then, it’s critical that you check regularly for upgrades for the WordPress Plugins and Themes you use.

Currently, there is nothing similar for WordPress Plugins to check for security flaws and issues, though there are rumors that someone is working on one.

Check with the WordPress Theme and Plugin author for updates on a regular basis. From the Plugins panel, you can click on the link to the Plugin’s official page to see if they have released an update or have news you need to know about running the Plugin on your blog.

From the Presentation panel, you can do the same thing with your WordPress Theme.

If you developed and designed your own WordPress Theme, it’s important to keep up with potential flaws and security risks you may have inadvertently included of your own accord or from code you copied from another WordPress Theme or article. I recommend you add the Blog Security blog to your feed reader as well as Mark Jaquith, Weblog Tools Collection, and the WordPress Development Blog to keep track of such announcements.

Also check the WordPress Codex, the online manual for WordPress Users, regarding the new version. There are often pages added which list Plugins and Themes reported compatible with the latest version.

Search the Theme Files for http://: Search the template files and check every link reference within them. If a link goes somewhere you don’t want it to go, remove it or try another Theme.

Search for “script”: Search your template files for the word “script”. This indicates JavaScript. It could be a safe one, put there to help with the design, in which case it would be mentioned in the Theme’s readme file, or the link would go to a file within your Theme’s folder that you could check to see what the script does. If it links to an off-site location, or looks suspicious, it may not be safe.

View the Generated Page Source: Using your browser’s View > View Page Source feature, view the source code of your generated WordPress blog’s web page. You might not understand all of it, but look closely at all the code to see if something is linking to an off-site location, or if a bit of code looks odd or like an advertisement. It could be exactly that.
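As an added example (not code from the original post), here is a Python script that performs the three checks above over a theme’s template files: it lists every http:// link that points off-site, flags script tags loaded from a host that is not yours, and spots off-site links hidden with display:none. The sample footer.php content and the own-host list are constructed for the demonstration.

```python
import re
from pathlib import Path
from urllib.parse import urlparse

# Constructed stand-in for a theme's footer.php (not a real theme file).
SAMPLE_FOOTER = """
<div id="footer">
  <a href="http://www.example.com/about/">About</a>
  <script type="text/javascript" src="<?php bloginfo('template_url'); ?>/js/menu.js"></script>
  <a href="http://www.example.net/free-stuff" style="display:none">free stuff</a>
  <script src="http://ads.example.org/track.js"></script>
</div>
"""

URL_RE = re.compile(r'https?://[^\s"\'<>)]+', re.IGNORECASE)
SCRIPT_RE = re.compile(r'<script\b[^>]*>', re.IGNORECASE)

def audit_template(text, own_hosts):
    """Run the three checks on one template's text; own_hosts are this blog's
    hostnames. Returns (offsite_links, offsite_scripts, hidden_offsite_links)."""
    offsite_links = sorted({u for u in URL_RE.findall(text)
                            if urlparse(u).hostname not in own_hosts})
    # A <script> loaded from a local path (or template_url) is what a readme
    # should explain; one served from a foreign host deserves a close look.
    offsite_scripts = []
    for tag in SCRIPT_RE.findall(text):
        m = URL_RE.search(tag)
        if m and urlparse(m.group(0)).hostname not in own_hosts:
            offsite_scripts.append(m.group(0))
    # Off-site links styled display:none are invisible to readers but not to crawlers.
    hidden = [u for u in offsite_links
              if re.search(r'href="' + re.escape(u) + r'"[^>]*display\s*:\s*none', text)]
    return offsite_links, offsite_scripts, hidden

def audit_theme(theme_dir, own_hosts):
    """Apply audit_template to every .php file under a theme directory."""
    report = {}
    for path in sorted(Path(theme_dir).rglob('*.php')):
        findings = audit_template(path.read_text(errors='replace'), own_hosts)
        if any(findings):
            report[str(path)] = findings
    return report

if __name__ == '__main__':
    for label, items in zip(('off-site links', 'off-site scripts', 'hidden links'),
                            audit_template(SAMPLE_FOOTER, {'www.example.com'})):
        print(f'{label}: {items}')
```

Point audit_theme at your wp-content/themes/your-theme directory with your own hostnames to get a per-file report; anything it flags still needs a human to decide whether it belongs there.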

Protect Your WordPress Blog Files

Remove the Version Meta Tag: In your blog’s header.php template file, remove the meta tag named “generator”, which states which version of WordPress you are using. Why help hackers learn which version you are using so they can easily choose the scalpel to hack away at your blog?

Prevent Access to Your WordPress Folders: If you check your Plugins directory in a browser with http://www.example.com/wp-content/plugins you may see a listing of all of the Plugin files and directories. So can everyone else. The same may go for some of your other WordPress directories. There are a few ways to deal with this.

Add a Disallow line to your robots.txt file for these directories to stop search engines and other bots from indexing them.

While these seem easy, there are some drawbacks. If you restrict access to the wp-admin directory, it may block registered users from seeing parts of the Administration Panels, especially if they log on with a different IP address than they normally use. As I travel a lot, I frequently log in from various IP addresses, which would mean this method wouldn’t work for me.

Change File Permissions: You can set your files and directories to allow various degrees of access, from totally preventing any change to a file, to allowing only a specific user or program to change it. “Changing File Permissions” from the WordPress Codex explains how to change those file and folder permissions on your server, but if you open them up temporarily for wide access, change them back afterwards.

Prevent Login Access

…Login LockDown takes a different approach. Every failed login attempt is recorded, along with the timestamp of the attempt and the IP address of the user. If a user tries (and fails) to log in too many times within a certain time period, the system then blocks any login requests coming from that IP range until the lock-out is released. The lock-out period defaults to 1 hour, although that can be changed within the admin panel. The number of retries and the time period they must occur within in order to trigger a lock-out are also configurable from the admin section, and admins do have the ability to release an IP block manually (assuming of course that they haven’t locked themselves out).
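An added example, not the Login LockDown plugin’s own code: a Python model of the lock-out logic just described (failed attempts recorded per IP with timestamps, a block once too many fail inside the window, a default 1-hour lock-out, and a manual release). Grouping attempts by the /24 network is my reading of “IP range”, and the parameter names are my own.

```python
import ipaddress
from collections import defaultdict

class LoginLockdown:
    """Per-IP-range failed-login tracking with a timed lock-out and manual release."""

    def __init__(self, max_retries=3, window_seconds=300, lockout_seconds=3600):
        self.max_retries = max_retries     # failures inside the window that trigger a block
        self.window = window_seconds       # how far back failed attempts are counted
        self.lockout = lockout_seconds     # default of 1 hour, as in the description above
        self.failures = defaultdict(list)  # range -> timestamps of failed attempts
        self.blocked_until = {}            # range -> time at which the lock-out expires

    @staticmethod
    def _key(ip):
        # The description blocks the IP *range*; treating that as the /24 network
        # is an assumption of this example, not the plugin's documented behaviour.
        return str(ipaddress.ip_network(f"{ip}/24", strict=False))

    def is_blocked(self, ip, now):
        key = self._key(ip)
        until = self.blocked_until.get(key)
        if until is None:
            return False
        if now >= until:
            del self.blocked_until[key]    # lock-out period has elapsed
            return False
        return True

    def attempt_login(self, ip, password_ok, now):
        """Return 'blocked', 'ok', 'failed' or 'locked' (this failure tripped the block)."""
        key = self._key(ip)
        if self.is_blocked(ip, now):
            return 'blocked'
        if password_ok:
            self.failures.pop(key, None)
            return 'ok'
        recent = [t for t in self.failures[key] if now - t < self.window] + [now]
        self.failures[key] = recent
        if len(recent) >= self.max_retries:
            self.blocked_until[key] = now + self.lockout
            self.failures[key] = []
            return 'locked'
        return 'failed'

    def release(self, ip):
        """Admin releases a block by hand; returns False if there was none to release."""
        return self.blocked_until.pop(self._key(ip), None) is not None
```

Note that a correct password from a blocked range is still refused until the lock-out expires or an admin releases it, which is exactly the self-lock-out the description warns admins about.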

Monitor Your Blog For Downtime and Breakdowns

A blog can break for many reasons, though it is rarely caused by evildoers. It’s usually something the blog owner has done that breaks the blog. The breakdown can happen immediately, be overlooked, or happen unpredictably.

Before installing and activating a WordPress Plugin or Theme, or making any changes to your WordPress blog, back it up! This way, if something does happen, you have a replacement to put it right – back to the time and place where it was last right.

It also helps to monitor your blog for problems by checking your blog’s feeds or using a site monitoring service.

Don’t tell people your password, put it in emails, or publish it (you think I’m kidding? It happens.)

If you change file permissions, change them back.

RTFM. Read tutorials, guides, instructions, and readme.txt files and follow them to the letter. They were written for a reason – with you in mind – so follow them first, before rushing to the Support Forums.

If you need help, don’t ask me first. Search first, check the WordPress Codex, then hit the Support Forums appropriate for your version of WordPress.

If you are not technically inclined, and the underlying code terrifies you, don’t go digging. Use a WordPress Plugin to make the changes you want, or get someone who knows what they are doing to do it for you, or to help teach you how to do it yourself.

While I love the Sandbox Theme, many Themes do not include Javascript and can be designed only through the CSS. They aren’t “skins” by the way. A “skin”, by traditional definition, only changes the surface. WordPress Themes include programming language which makes them “beyond skins”. We try to name things properly around here to avoid confusion. 😀

WordPress Plugins, however, often add Javascript. Because not all WordPress Plugin authors are really knowledgeable about security risks and issues involving such things, we need to do more to educate them on how to write more secure code.

yes, lorelle, themes are not skins. all the entries for the sandbox competition, and all the designs listed under the “customcss” tag are SKINS, not THEMES. engtech is right.

Otto’s made the point on the wp-hackers list several times that hackers do not check your blog for the _presence_ of a vulnerability before hacking it (it’s an unnecessary HTTP request, since the attack vector is another HTTP request, there’s no incentive to do it twice). removing the “generator” link isn’t necessarily great advice in that regard.

Removing the generator tag is arguably safer, insofar as Google and other search engines can index based on that information, thus providing “hackers” the ability to quickly compile a list of potential targets through use of these search engines. So in theory, it’s a good idea.

In practice, I doubt it actually makes much, if any, difference. Still, it’s not along the same lines as what I was talking about in wp-hackers, because the generator line causes you to potentially be included in a list that is theoretically likely to be compiled.

As was publicly announced not long ago, there were a couple of hackers who searched for a specific “vulnerable” version of WordPress and sought them out to do evil, justifying their reasoning as a way to call attention to the vulnerability. I can’t speak for their righteousness, but I believe that any excuse is a good excuse when you’re out to cause trouble. So why invite it, as Otto says.

What good does it do anyone to provide the generator info anyway? Does it help search engines change how they move through the site? Does the information benefit WordPress in any way? If it don’t help, clean out the clutter. 😀

As for the “skin” reference, I wasn’t thinking about the contest or collection of “skin” versions of the Sandbox Theme but the general labeling of all WordPress Themes as “skins”. I should have been more clear on that. Thanks.

I’m not sure if this is related to security or not, but is there something going on with your feed? For the past week or so Sage has told me that the feed is loading for as long as I let it sit there and think.

Hi Lorelle, this is my first visit to your blog. It’s really great, very helpful!

This article has really opened my eyes. There is so much to do with blogging, beyond the actual act of enjoying writing articles and publishing content. There are so many out there looking to spoil someone’s fun/creation.

Another tip to improve subfolder security – if you drop a blank index.htm or index.html file into the subdirectory, it prevents people from doing a directory listing and looking at the files there. It won’t stop accessing those files directly, but it will prevent people from getting a whole directory list and seeing everything (and accessing it) easily.

Hi! I have 5 sites! Today, all 5 of them were either hacked or WordPress crashed. I’m thinking it was the former. Your information is very helpful. Since I don’t quite know how to execute it, I’ll have my son review it. Many thanks. I am very grateful. By the by: I recovered all my articles! Yeah!

Re: this advice: “Remove the Version Meta Tag” -> There’s no point in doing this. The WP version seems to be readable from wp-links-opml.php, wp-rss.php, wp-commentsrss2.php, wp-version, wp-rdf.php and wp-rss2.php as I found out today from the WP security scanner here: http://blogsecurity.net/cgi-bin/wp-scanner.cgi

Removal of information on which version of WordPress you are using is a very good idea. The less information you give to the potential hacker who searches for that information in order to exploit vulnerabilities, the better. Is that what you are talking about?

Note that removing the generator is not quite as easy anymore. If you really want to do it, it can be done, but WordPress changed to unify the generator tag in the core instead of letting it be all over the place.

This code in a plugin or the theme’s functions.php will do the trick:
// Filter the_generator so every generator string WordPress outputs is empty.
add_filter('the_generator', create_function('$a', "return '';"));

That filters the generator function to return nothing at all, eliminating the generator code from *all* locations where it’s output.

I thought one way to show your appreciation for being able to use someone else’s plugin was to provide a link to their plugin page. If I’m reading your recommendation about protecting access to the plugin folders correctly, it is a bad idea to let others know whose plugins you are using. Is this correct?

@Tim: It is a great idea to tell the world about the Plugins you are using. That has nothing to do with protecting your Plugins folder on your server. Close that door, but let the words within your post content praise your favorite WordPress Plugins.

My blog was hacked today; thanks to phpMyAdmin, which helped me get back access to my blog. Now I will have a very strong password for my blog. One more thing I have done: as a matter of fact, WordPress stores all your details, including your username and password, in plain text in the wp-config.php file in the directory. Now, if you have incorrect file permissions set, this sensitive information may be out in public. To make sure that doesn’t happen, at least for this file, you can put this piece of code in your .htaccess file:

<Files wp-config.php>
order allow,deny
deny from all
</Files>

This will set the correct file permissions and will prevent anyone from viewing this file.
